Forum Replies Created

    in reply to: fail2ban or similar? #372214
    mosx86
    Participant

    I’ve been using denyhosts — http://denyhosts.sourceforge.net/ — with great success and basically have it running as a daemon being monitored by launchd.

    The 10.4 configuration directions are a little wonky and want you to use asl.log, but secure.log works just fine and you don’t have to mess with the SSHD REGEX.

    Also, you’ll notice that in 10.5 the asl.log is a binary file. There is a syslog command you can use to read it, but I don’t think it’s possible to use it w/ denyhosts so you’ll be using the secure.log anyway.

    Getting daemon mode to work with launchd is pretty trivial and you can use something like lingon to create the plist and load it.

    in reply to: XP Users – Leopard OSX Server #372189
    mosx86
    Participant

    I haven’t set one up in 10.5 yet, but we are running a Mac OS 10.4 ODmaster as a PDC and our 10.4 ODreplica as a BDC. Neither system is serving files as we have dedicated file servers for that. We have around 85 Windows XP clients connected to the domain and there haven’t been many problems.

    If you’re familiar with setting up a PDC on Linux then you may be a step ahead as Apple’s PDC documentation is not very deep. A few issues we ran into with our setup are that there can be no workgroups with the same name as the Domain, and with the SID not being properly wiped from a previous attempt to set a PDC up.

    I’m working on setting up a test PDC w/ 10.5.2 but have only tested it w/ Vista and thus far haven’t been able to get Vista to join. You may wish to look at [url=https://www.afp548.com/forum/viewtopic.php?showtopic=20187]this[/url] thread for more information on that…

    in reply to: Windows Vista can’t join OD domain #372183
    mosx86
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]You can have dirt use a specific auth method.

    dirt -a nt -u user[/p][/QUOTE]

    That will only test the SMB-NT password, not the SMB-NTLMv2.

    I haven’t found out how to verify the SMB-NTLMv2 as of yet.

    Here is the password log when running the above dirt command:

    [b]Apr 10 2008 09:53:20 AUTH2: {slotID, diradmin} SMB-NT authentication succeeded.[/b]

    Here is the password log when trying to join Vista to the 10.5.2 OD PDC domain:

    [b]Apr 10 2008 12:23:42 DoAuth: {slotID, diradmin} SMB-NTLMv2 authentication failed, SASL error -13 (password incorrect).[/b]
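
An added example, not from the thread: a small Python parser for the two Password Server log lines quoted above, which flags accounts where one SMB mechanism accepts the password while another rejects it. The line layout is inferred from these two samples and assumed for other message types.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two log lines quoted in the post above, unchanged.
SAMPLE_LOG = """\
Apr 10 2008 09:53:20 AUTH2: {slotID, diradmin} SMB-NT authentication succeeded.
Apr 10 2008 12:23:42 DoAuth: {slotID, diradmin} SMB-NTLMv2 authentication failed, SASL error -13 (password incorrect).
"""

# Layout inferred from those two samples; assumed (not documented) for other lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<stage>\w+): "
    r"\{(?P<slot>[^,]+), (?P<user>[^}]+)\} (?P<method>\S+) authentication "
    r"(?P<outcome>succeeded|failed)"
    r"(?:, SASL error (?P<sasl>-?\d+) \((?P<reason>[^)]*)\))?\.$"
)

@dataclass
class AuthEvent:
    timestamp: str
    stage: str          # AUTH2, DoAuth, ...
    user: str
    method: str         # e.g. SMB-NT, SMB-NTLMv2
    succeeded: bool
    sasl_error: Optional[int] = None
    reason: Optional[str] = None

def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one Password Server line; None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sasl = m.group("sasl")
    return AuthEvent(m.group("ts"), m.group("stage"), m.group("user"), m.group("method"),
                     m.group("outcome") == "succeeded",
                     int(sasl) if sasl is not None else None, m.group("reason"))

def parse_log(text: str) -> List[AuthEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]

def mechanism_mismatches(events: List[AuthEvent]) -> Dict[str, Dict[str, List[str]]]:
    """Accounts where one mechanism accepted the password and another rejected it.
    A plain SMB-NT check (what dirt -a nt tests) cannot rule that out, so the
    failing mechanism itself is worth a look rather than the typed password."""
    ok, bad = defaultdict(set), defaultdict(set)
    for ev in events:
        (ok if ev.succeeded else bad)[ev.user].add(ev.method)
    return {u: {"succeeded": sorted(ok[u]), "failed": sorted(bad[u] - ok[u])}
            for u in ok if bad[u] - ok[u]}
```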

    in reply to: Windows Vista can’t join OD domain #372141
    mosx86
    Participant

    [QUOTE][u]Quote by: Vegan_admin[/u][p]Sorry this is an OD master running leopard 10.5.2.
    I’m really lost here…[/p][/QUOTE]

    I’m working on something similar but haven’t had time to get into it too deeply yet. On my setup, NTLMv2 password authentication is failing. You can use ‘dirt’ to check the SMB password, but it doesn’t use NTLMv2 so I’m not exactly sure how to verify that…

    I will post more as I get a chance to look at it (hopefully by next week)…

    in reply to: Windows Vista can’t join OD domain #372119
    mosx86
    Participant

    Is this ODmaster, Tiger or Leopard?

    mosx86
    Participant

    I’m sorry, could you elaborate a little more on your setup? You mention a Windows 2003 Server in there so I’m not clear on what is going on.

    You’ve got a Mac OS X Server running as an OD Master and serving as your PDC as well. Where does the Windows 2003 Server come in? Is the Windows server a member of the Mac’s PDC domain, or is the Mac OD Master bound to the Windows server?

    in reply to: PasswordService in Uninterruptible wait #371801
    mosx86
    Participant

    Still trying to track down this issue where clients will momentarily hang. I suspect it to be an issue with DirectoryServices as in a few cases, users have lost access to their files while they are still mounted. Restarting DirectoryServices clears this up.

    What I’m not sure about is how to track down whether this is a problem on the clients or merely a symptom of a larger problem with my OD/replica setup.

    Any ideas?

    in reply to: -5023 in AFP log #371799
    mosx86
    Participant

    What happens if you restart directory services?

    in reply to: PasswordService in Uninterruptible wait #371383
    mosx86
    Participant

    [QUOTE][u]Quote by: MacTroll[/u][p]1. are you reacting to something not working or just poking around in top and seeing the stuck process?[/quote]

    Over the past few weeks users have been complaining of their systems suddenly hanging for a few seconds intermittently, including hanging up to a minute or so on logins (we’re on network homes). I’m not seeing any abnormal traffic on either the network or from the file servers. Users aren’t getting any errors that they’re losing connectivity, everything just seems to hang and then go back to normal. I’ve looked in the AFP logs, the system log, the asl log, the DS logs and am not finding anything unusual.

    I was looking at top when I noticed that PasswordService was “stuck” and I don’t recall ever seeing it in this state. I don’t think PasswordService would be causing the problem but am wondering if it could be a problem with DirectoryService.

    We ran into a little problem a few weeks back when I updated the Master and Replica to 10.4.11 and the replica decided it was the parent and borked our password database. I’ve worked w/ Apple on that and ended up doing a deep clean of the replica before recreating it. The hanging issue matches the timeline for the problems we had with the replica.

    [quote]2. What else is your system doing?[/quote]

    The system is an OD master and also runs our PDC. We have one replica in the loop. So aside from handling those duties it’s not doing anything else. Both master and replica are running 10.4.11.

    [quote]If you do have a lot of I/O it’s not entirely out of the question that PWS would be waiting on a disk operation to complete before it could continue.[/p][/QUOTE]

    The master seems to get the lion’s share of lookups; I’m wondering if the disk activity is being driven by this, though it still seems a bit high to me.

    in reply to: Can’t Create Windows BDC on my OD Replica? #371071
    mosx86
    Participant

    [QUOTE][u]Quote by: computerpros[/u][p]I have two 10.4.10 xServes, one is the OD Master and a Windows PDC.
    The OD Master sees the OD Replica which is updating to the OD Master.

    My second xServe is the OD Replica and wannabe Windows BDC, but when I try to CHANGE its Windows Services Role from Standalone Server to a BackUp Domain Controller (BDC), it fails.

    I change its Role to BDC
    I enter the Domain, press SAVE
    I enter the diradmin username & password (I’ve tried every other Admin password as well)

    RESULT = “Error while writing settings (Unable to join the domain)”
    Then it reverts back to a Standalone Server.

    ANY IDEAS what the problem is or how to rectify it?

    Thanks![/p][/QUOTE]

    As strange as this sounds, you don’t have permission to write to the directory on the replica where SMB stores the files it uses to be a BDC, basically the secrets.tdb file.

    /var/db/samba

    At least that’s the problem I had… 😉

    Of note, when I enable the BDC, my whole windows domain stops authenticating, but I am having issues w/ my replica right now… 😉

    in reply to: troubleshooting AFP beyond the GUI #371036
    mosx86
    Participant

    [QUOTE][u]Quote by: alternapop[/u][p]
    We had an Xserve running both AFP and Windows filesharing. Both were working fine but then AFP started failing to authenticate users. Windows filesharing continued to work. I tried to stop and restart AFP via Server Admin but that didn’t solve the problem. I rebooted the server and everything worked fine.

    I’d like to know how to fix this in the future without rebooting the entire OS. I’m assuming I can kill AFP and restart it via command line but I don’t know how to do this. What is the recommended method?

    Is there documentation that someone can provide that explains this sort of thing? How to troubleshoot OS X Server problems beyond the GUI?

    Thanks![/p][/QUOTE]

    What were the logs saying? Is this an Open Directory server, or bound to an open directory server?

    in reply to: 10.4 OD “Connect to” question #371034
    mosx86
    Participant

    [QUOTE][u]Quote by: rangerwwc[/u][p]Running a 10.4 OD Server with AFP sharepoints. I want to be able to connect directly to a user’s home folder w/o having to input the specific user name. In Windows all you do is connect to (start, run) \\server\share\%username% & whoever you’re logged in as is the folder that will pop up (assuming that your user name & folder are named the same).

    Is there any way to do the equivalent in the MAC “Connect to” line?

    I’ve tried (with and w/o afp://) with no luck –

    afp://server/sharepoint/$uid$
    afp://server/sharepoint/$username$

    Any thoughts…………..anyone…………..Bueller?

    Thanks in advance.

    ~ Will[/p][/QUOTE]

    afp://username@server/share

    Type this in TextEdit, drag the text to the desktop and voilà… You can simply click on the resultant file to bring up the share; all you have to do is enter your password (unless Kerberos is involved). If you want to be less secure, afp://username:password@server/share will get you right in.

    You can even create login items this way so the server mounts on login.

    mosx86
    Participant

    [QUOTE][u]Quote by: fhmiv[/u][p]A follow-up question – should I be using WINS or should I add SRV entries for the PDC to my DNS?

    I’m running Bind-9.2.2 and dhcp-3.0pl2 on an old Linux system. Can the 10.4 included Samba publish the SRV entries dynamically to the DNS or would I need to put them in by hand? [/p][/QUOTE]

    I’m not sure. We’ve set our PDC to register with our DNS server that is serving WINS.

    mosx86
    Participant

    [QUOTE][u]Quote by: mosx86[/u][p]Just throwing two ideas out there…

    1. If you have a workgroup that is named the same as the domain on the same network it will result in behavior very close to what you’re describing…

    2. If your new PDC is using the same domain name as the previous one, your clients may be expecting to see the previous SID. [/p][/QUOTE]

    This may be helpful as well: (while this is regarding 10.4=>10.5, the process should be the same from 10.3=>10.4).

    http://lists.apple.com/archives/macos-x-server/2007/Nov/msg00607.html

    mosx86
    Participant

    Just throwing two ideas out there…

    1. If you have a workgroup that is named the same as the domain on the same network it will result in behavior very close to what you’re describing…

    2. If your new PDC is using the same domain name as the previous one, your clients may be expecting to see the previous SID.
